github.com/distribution/distribution vulnerabilities
3 known vulnerabilities affecting github.com/distribution_distribution.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, UNKNOWN 1
Vulnerabilities
CVE-2026-35172 | HIGH | ≥ 0, ≤ 2.8.3 | 2026-04-06
CVE-2026-35172 [HIGH] CWE-284 Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation
## summary:
distribution can restore read access in `repo a` after an explicit delete when `storage.cache.blobdescriptor: redis` and `storage.delete.enabled: true` are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership b
ghsa, osv
CVE-2026-33540 | MEDIUM | CVSS 6.1 | ≥ 0, ≤ 2.8.3 | 2026-04-06
CVE-2026-33540 [MEDIUM] CWE-918 Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
hi guys,
commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)
contact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)
## summary
in pull-through cache mode, distribution discovers token auth endpo
ghsa, osv
CVE-2023-2253 | UNKNOWN | ≥ 0, < 2.8.2-beta.1+incompatible | 2023-05-24
CVE-2023-2253 Memory exhaustion in github.com/distribution/distribution
Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.
osv